Product Details — Langflow
Langflow is an open-source platform used to visually design and execute LLM workflows through a web interface and backend APIs. It is commonly integrated with internal tools, model providers, and automation pipelines. Because it evaluates logic dynamically and supports workflow import/export, strict trust boundaries and execution controls are expected. The vulnerabilities below originate from weaknesses in those exact areas.
Consolidated Vulnerability Overview
| Vulnerability Name | CVE ID | Severity | Attack Type | Authentication | Impact |
|---|---|---|---|---|---|
| Eval Injection | CVE-2026-0769 | Critical | Remote Code Execution | Not Required | Full system compromise |
| Untrusted Control Sphere | CVE-2026-0770 | Critical | Privilege Escalation → RCE | Not Required | Root-level compromise |
| Unsafe Deserialization | CVE-2026-0772 | High | Remote Code Execution | Required | Application takeover |
CVE-2026-0769 — Eval Injection Leading to Unauthenticated RCE
Vulnerability details
It was identified that Langflow evaluates user-supplied expressions as part of workflow configuration and execution logic. In certain execution paths, these expressions are processed without adequate sandboxing or input sanitization. As a result, arbitrary code supplied by an external actor can be evaluated directly by the backend runtime.
The vulnerable behavior is triggered before authentication checks are enforced, allowing exploitation over the network by unauthenticated users.
Exploitation scenario (educational)
A crafted request can be sent to a publicly exposed Langflow endpoint responsible for evaluating node expressions or preview logic. When the payload is processed, the evaluation engine executes it as native code. System commands can then be executed with the privileges of the Langflow service account.
This attack does not rely on memory corruption and is highly reliable, making exploitation practical even for low-skill attackers.
Impact
- Remote execution of arbitrary system commands
- Exposure of API keys, model credentials, and environment secrets
- Possibility of lateral movement from the compromised host
Detection and monitoring
Indicators of compromise
- Expression fields containing interpreter keywords, dynamic imports, or reflection patterns
- Sudden spawning of shell processes from the Langflow service
- Outbound network connections initiated immediately after workflow execution
Recommended log sources
- Application request and debug logs
- API gateway or reverse proxy logs
- Operating system process creation logs
Detection rules
- Alerts should be generated when evaluation inputs contain restricted keywords or syntax
- Any child process spawned by the Langflow runtime should be flagged
- Repeated unauthenticated requests triggering workflow execution should be rate-limited and logged
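The first detection rule above, sketched as an added example (not Langflow code): expression fields in a decoded workflow are parsed with Python's `ast` module and flagged for imports, risky names, and dunder attribute access. The `expression` field name, the deny-list, and the sample workflow are assumptions constructed for illustration.

```python
import ast

# Constructed deny-list for this example; tune it to the expressions your flows use.
RISKY_NAMES = {"eval", "exec", "compile", "__import__", "getattr", "open",
               "os", "subprocess", "sys", "importlib", "socket", "ctypes"}
EXPRESSION_KEY = "expression"  # hypothetical field name, not Langflow's schema

def scan_expression(expr):
    """Return the reasons an expression should raise an alert (empty = clean)."""
    try:
        tree = ast.parse(expr, mode="exec")
    except (SyntaxError, ValueError):  # ValueError: null bytes on older Pythons
        return ["unparseable"]
    findings = set()
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            findings.add("import-statement")
        elif isinstance(node, ast.Name) and node.id in RISKY_NAMES:
            findings.add(f"name:{node.id}")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            findings.add(f"dunder-attr:{node.attr}")
    return sorted(findings)

def scan_workflow(doc, path="$"):
    """Walk a decoded workflow and scan each expression field; return {path: reasons}."""
    hits = {}
    if isinstance(doc, dict):
        for key, value in doc.items():
            if key == EXPRESSION_KEY and isinstance(value, str):
                reasons = scan_expression(value)
                if reasons:
                    hits[f"{path}.{key}"] = reasons
            else:
                hits.update(scan_workflow(value, f"{path}.{key}"))
    elif isinstance(doc, list):
        for index, item in enumerate(doc):
            hits.update(scan_workflow(item, f"{path}[{index}]"))
    return hits

# Constructed sample input, not captured traffic.
SAMPLE = {"nodes": [
    {"id": "n1", "expression": "price * quantity + 1"},
    {"id": "n2", "expression": "__import__('os').getcwd()"},
    {"id": "n3", "expression": "().__class__.__mro__"},
]}

if __name__ == "__main__":
    for where, reasons in scan_workflow(SAMPLE).items():
        print(where, reasons)
```

A deny-list scan like this is an alerting signal only; it does not make evaluating a flagged or unflagged expression safe.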
Official remediation
- Official patch or upgrade: Not published yet by the vendor
- Until an official fix is released, public access should be disabled and dynamic evaluation features should be restricted or removed.
CVE-2026-0770 — Untrusted Control Sphere Resulting in Root RCE
Vulnerability details
It was observed that Langflow implicitly trusts certain control-plane parameters that influence execution behavior. These parameters can be manipulated indirectly through user-accessible inputs such as workflow metadata, configuration imports, or API arguments.
When Langflow is deployed with elevated privileges or permissive container settings, this trust violation allows attacker-controlled values to reach privileged execution paths, resulting in code execution as the root user.
Exploitation scenario (educational)
Crafted control values injected into workflow definitions or API calls alter the execution context. These values are later consumed by privileged routines without validation. The backend then executes attacker-supplied logic with root-level permissions.
In containerized deployments, this condition significantly increases the likelihood of container escape.
Impact
- Root-level remote code execution
- Complete host takeover
- Persistence through system-level modification
Detection and monitoring
Indicators of compromise
- Langflow processes running as UID 0
- Unexpected changes to environment variables affecting execution
- Writes to protected directories such as /etc, /root, or system binaries
Recommended log sources
- Container runtime and orchestration logs
- System authentication and privilege logs
- Configuration change audit logs
Detection rules
- Alerts should be raised if Langflow runs with root privileges
- Any API request modifying execution context should be logged and reviewed
- Container capability changes should be continuously monitored
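The UID and capability rules above, as an added example (not part of the original advisory or of Langflow): it audits the text of a Linux `/proc/<pid>/status` file for a UID 0 process, high-risk effective capabilities, and drift from an expected capability mask. The process name, the three sample status texts, and the choice of capabilities to alert on are constructed assumptions.

```python
# Bit numbers are from linux/capability.h; which ones to alert on is this example's choice.
ALERT_CAPS = {2: "CAP_DAC_READ_SEARCH", 12: "CAP_NET_ADMIN", 16: "CAP_SYS_MODULE",
              17: "CAP_SYS_RAWIO", 19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN"}

def parse_status(text):
    """Parse /proc/<pid>/status text into {field: [values]}."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.split()
    return fields

def audit_process(status_text, baseline_cap_eff=None):
    """Return findings for one process; an empty list means nothing to alert on."""
    fields = parse_status(status_text)
    findings = []
    # Uid line order: real, effective, saved set, filesystem.
    if "0" in fields["Uid"][:2]:
        findings.append("runs-as-uid-0")
    cap_eff = int(fields["CapEff"][0], 16)
    for bit, name in sorted(ALERT_CAPS.items()):
        if (cap_eff >> bit) & 1:
            findings.append(name)
    # Capability drift: compare against the mask recorded at deployment time.
    if baseline_cap_eff is not None and cap_eff != baseline_cap_eff:
        findings.append("capeff-differs-from-baseline")
    return findings

# Constructed status samples: full capability set, reduced set as root, hardened non-root.
PRIVILEGED = "Name:\tlangflow\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
REDUCED_ROOT = "Name:\tlangflow\nUid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\n"
HARDENED = "Name:\tlangflow\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"

if __name__ == "__main__":
    for label, sample in [("privileged", PRIVILEGED), ("reduced-root", REDUCED_ROOT),
                          ("hardened", HARDENED)]:
        print(label, audit_process(sample, baseline_cap_eff=0))
```

On a live host the input is the content of `/proc/<pid>/status` for each Langflow process, collected on a schedule so that a change in the mask is seen.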
Official remediation
- Official patch or upgrade: Not published yet by the vendor
- Langflow should be executed as a non-root user with minimal privileges until a fix is released.
CVE-2026-0772 — Unsafe Deserialization Causing Authenticated RCE
Vulnerability details
Langflow supports importing serialized workflow and configuration objects. It was identified that deserialization is performed without strict type enforcement or integrity checks. This allows malicious serialized objects to execute arbitrary code during the deserialization process.
Authentication is required, but no elevated privileges are necessary.
Exploitation scenario (educational)
A legitimate user account is used to upload or import a crafted serialized object. When the backend deserializes the object, embedded executable logic is triggered automatically. No further interaction is required.
This class of vulnerability is especially dangerous because exploitation occurs before application-level validation.
Impact
- Code execution with application privileges
- Abuse of trusted user access
- Potential persistence within application logic
Detection and monitoring
Indicators of compromise
- Deserialization errors followed by abnormal execution behavior
- Imports containing unexpected object structures
- Application crashes correlated with workflow imports
Recommended log sources
- Workflow import/export logs
- Authentication and session logs
- File system monitoring logs
Detection rules
- Only allow strict, schema-validated serialization formats
- Alerts should be generated on deserialization exceptions
- Imported objects should be scanned before processing
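One way to apply the "strict, schema-validated" rule above, as an added example (not Langflow's importer): imports are accepted only as data-only JSON that matches an exact schema, and every rejection returns a reason that can be logged and alerted on. The schema, field names, size limit, and sample are hypothetical and constructed for illustration.

```python
import json

MAX_BYTES = 1_000_000  # constructed size limit
# Hypothetical schema for this example (field -> type); not Langflow's export format.
FLOW_SCHEMA = {"name": str, "version": int, "nodes": list}
NODE_SCHEMA = {"id": str, "type": str, "params": dict}
SCALARS = (str, int, float, bool, type(None))

class ImportRejected(ValueError):
    """Raised for any import that is not schema-valid JSON."""

def _no_duplicate_keys(pairs):
    keys = [key for key, _ in pairs]
    if len(keys) != len(set(keys)):
        raise ImportRejected("duplicate key in object")
    return dict(pairs)

def _check(obj, schema, where):
    # Exact key match rejects unknown fields; bool is kept out of int fields (bool subclasses int).
    if not isinstance(obj, dict) or set(obj) != set(schema):
        raise ImportRejected(f"{where}: unexpected or missing fields")
    for key, typ in schema.items():
        if not isinstance(obj[key], typ) or (typ is int and isinstance(obj[key], bool)):
            raise ImportRejected(f"{where}.{key}: expected {typ.__name__}")

def load_flow(raw):
    """Decode an import as data-only JSON and validate it; raise ImportRejected otherwise."""
    if len(raw) > MAX_BYTES:
        raise ImportRejected("import too large")
    try:
        doc = json.loads(raw.decode("utf-8"), object_pairs_hook=_no_duplicate_keys)
    except (UnicodeDecodeError, json.JSONDecodeError, RecursionError):
        raise ImportRejected("not well-formed JSON") from None
    _check(doc, FLOW_SCHEMA, "flow")
    for i, node in enumerate(doc["nodes"]):
        _check(node, NODE_SCHEMA, f"nodes[{i}]")
        for key, value in node["params"].items():
            if not isinstance(value, SCALARS):
                raise ImportRejected(f"nodes[{i}].params.{key}: must be a scalar")
    return doc

def verdict(raw):
    try:
        load_flow(raw)
        return "accepted"
    except ImportRejected as exc:
        return f"rejected: {exc}"

GOOD = b'{"name": "demo", "version": 1, "nodes": [{"id": "n1", "type": "prompt", "params": {"temperature": 0.2}}]}'  # constructed sample
```

Because the loader only ever builds dicts, lists, and scalars, a binary or object-bearing upload fails at the decode or schema step instead of reaching any code that reconstructs objects.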
Official remediation
- Official patch or upgrade: Not published yet by the vendor
- Unsafe serialization mechanisms should be disabled until a secure implementation is released.
Overall Security Guidance
- Langflow should not be exposed directly to the internet
- All dynamic execution features should be reviewed and minimized
- Least-privilege execution must be enforced at both host and container levels
- Continuous monitoring should be enabled for execution-related anomalies
Once the vendor releases an official patch or upgrade, it should be applied immediately as the only long-term remediation.
